Abstract


We present a formal system to reason about implicit belief. Implicit belief captures
the (possibly probabilistic) information available to agents in probabilistic distributed
systems. Our system also deals with non-determinism where all the non-deterministic
choices are made at the beginning of the computation. We demonstrate the naturalness
of our approach by offering new analyses and solutions to some classical distributed
computing problems, namely the coordinated attack and authenticated Byzantine agreement.


1  Introduction 

1.1  Uncertainty  in  Distributed  Systems 

Uncertainty  is  inherent  in  distributed  systems  and  is  what  distinguishes  their  study  from 
the  study  of  “parallel  computation”.  Uncertainty  arises  from  many  factors: 

1.  Lack  of  knowledge  of  system  configuration. 

2.  Lack  of  knowledge  of  the  protocol  being  run  by  other  processors. 

3.  Lack  of  knowledge  of  inputs  received  at  other  sites. 

4.  Unreliability  of  hardware  components  of  the  processors  or  communication  system. 

5.  Variability  of  processor  step  times. 

6.  Variability  of  message  delivery  times. 

7.  Unpredictability  of  random  coin  tosses. 

8.  Unpredictability  of  future  external  inputs. 

9.  Lack  of  compute  power  to  extract  knowledge  from  the  available  information. 

The  first  three  items  concern  uncertainties  of  an  individual  agent  (process)  in  the  system; 
these  uncertainties  are  of  facts  that  are  known  to  an  external  agent  with  a  global  view  of 
the  entire  system.  Items  4-8  concern  uncertainty  about  the  system  as  a  whole,  i.e.,  what 
course  the  run  of  the  system  will  take  in  the  future.  From  the  agent’s  local  point  of  view, 
all of these items have the potential of introducing error into a computation, and all force
the agent to view its own knowledge with a degree of skepticism. In this work, we introduce
a  formal  system  that  enables  one  to  reason  about  the  knowledge  of  an  agent  in  a  system 
that  has  elements  of  1-8.  Item  9  is  of  a  slightly  different  nature  as  it  concerns  issues  of 
computational  complexity.  It  is  a  non-issue  in  most  distributed  systems  (although  it  is 
a  major  issue  in  cryptographic  systems  [HMT87,FZ87,GMR85,TW87]).  In  the  interest  of 
simplicity  we  do  not  treat  it  in  this  paper,  although  we  believe  the  formal  system  of  reasoning 
about  knowledge,  probability,  and  time  presented  here  can  be  extended  to  encompass  the 
notions  of  relative  knowledge  and  belief  presented  in  [FZ87]. 

Generally speaking, uncertainty may be considered to be either probabilistic or
non-deterministic in nature. If we have some a priori knowledge that uncertainty is determined
by a random process independent of the operation of the system, then we can model it as
a random variable, i.e., probabilistic. Else, we are forced to consider worst-case scenarios,
namely, we view the cause of uncertainty as if it were controlled by an “adversary” who
wants to cause the system to behave as “badly” as possible, i.e., non-deterministic.

1.2  Formal  Treatment  of  Uncertainty 

The goal of this paper is to define a formal system adequate to describe the kind of
“knowledge” possessed by agents in distributed systems that involve elements of uncertainty. Our
approach is similar to that of [FH87,HMT87], but it differs in two major respects:

1.  Our  system  treats  uncertainty  due  to  lack  of  information  and  uncertainty  due  to  the 
unpredictability  of  future  random  events  in  a  uniform  way.  Thus,  we  can  give  an  exact 
characterization  of  the  “probabilistic  knowledge”  possessed  by  an  agent  at  the  end  of 
a  protocol  as  well  as  at  the  beginning. 

2.  We  handle  non-determinism  explicitly  in  our  model,  rather  than  trying  to  allow  for  it 
implicitly  by  making  certain  sets  unmeasurable.  The  resulting  system  appears  to  be 
more  expressive  as  well  as  being  simpler  and  more  natural. 

Consider a simple 2-party protocol between agents p and q in which p flips a private
unbiased coin and nothing further happens; q cannot see the outcome of the coin toss. Thus,
there are only three global states in the system: the initial state $s_0$ before the coin has been
flipped, the state $s_h$ in which the coin has landed “heads”, and the state $s_t$ in which the
coin has landed “tails”. Because the coin is unbiased, the probabilities of reaching $s_h$ from
$s_0$ and of reaching $s_t$ from $s_0$ are both 1/2.

In state $s_0$, q knows that the coin will land heads with probability 1/2. Halpern, Moses,
and Tuttle (cf. [HMT87]) would express this fact by the formula

$$K_q^{1/2}\,\bigcirc\mathit{heads}$$

which says that q knows that with probability at least 1/2, the statement “at the next state
(after the coin has been flipped), the coin will be heads” holds, where the probability is
taken over the possible future extensions of the run. In this example, there are two equally
likely runs, one ending in $s_h$ and the other in $s_t$. Since heads is true at the end of the first
run and false at the end of the second, q reasons in $s_0$ that heads will hold at the next step
1/2 of the time.


After the coin has been flipped, q still does not know the outcome (since p has not told
him). From q's perspective, it is still just as likely that the coin landed “heads” as it is that
it landed “tails”. Intuitively, the statement

$$K_q^{1/2}\,\mathit{heads}$$

should now hold and reflect this uncertainty in q's knowledge. However, the [HMT87]
logic does not permit this uncertainty to be expressed, for the only uncertainty it can
accommodate is that resulting from future randomness. After the coin has been flipped,
the outcome is determined and there is no more future uncertainty. The global state is now
either $s_h$ or $s_t$. In $s_h$, heads holds with probability 1, and in $s_t$ it holds with probability
0, but in neither state does it hold with probability 1/2. Since q does not know which is
the true state, the formula $K_q^{\alpha}\,\mathit{heads}$ only holds for $\alpha$ equal to the minimum of those two
probabilities, which is 0.

In our system, we can formalize the fact that at the end of this protocol q considers the
two states $s_h$ and $s_t$ to be equally likely and therefore has confidence 1/2 that the coin has
landed heads. Confidence, the way we use it, is well defined; its intuitive meaning is that,
if q bets even money on heads and the game is repeated many times, then its expected loss
is zero. To avoid confusion with true knowledge, we call our notion of knowledge with a
possibility of error implicit belief, and we denote it with the symbol B instead of K.

In the above example, the formula

$$B_q^{1/2}\,\mathit{heads}$$

holds at both $s_h$ and $s_t$. It should be read, “q believes with confidence 1/2 that the coin
has landed heads”. It might seem that in $s_t$ the formula should not hold. However, q has
no clue whether the real state is $s_t$ or $s_h$ as it cannot distinguish one from the other. The
only additional information q obtained about the outcome of the coin flip is that it had
been determined. Therefore, q reasons that 1/2 of the times in which it finds itself in this
situation (of the coin having been flipped but not knowing the outcome), the true state is
$s_h$, and the other half of the times it is $s_t$. Since heads is true in $s_h$, it is quite reasonable
for q to believe with confidence 1/2 that the coin is “heads”.

More generally, i has only partial information about the true global state s of the system,
so i must consider any state s' possible for which its local view is the same as for s. Let $[s]_i$
be the set of all such states. Even though i cannot distinguish those states, it does have
some a priori knowledge about the likelihood of being in each of those states (assuming
for the time being that we are considering a purely probabilistic system, i.e., with no
non-determinism). Namely, since the probability distribution on the runs of the system is
common knowledge to all agents, i can determine for each state $s' \in [s]_i$ the probability
of the system being in s', given that the system is in some state of $[s]_i$, and can therefore
determine the probability of being in a state in which $\varphi$ holds. If a < a lfi, we say that
agent i believes $\varphi$ with confidence at least $\alpha$ in state s, which we write as

$$s \models B_i^{\alpha}\varphi$$

When we add temporal operators, we obtain formulas such as $\bigcirc\mathit{heads}$ mentioned above
which are neither true nor false at a given state but rather have a certain probability of
being true there. Defining belief with confidence $\alpha$ of such formulas requires a slight
generalization of the above definition. Details are presented in Section 3 below.

Non-determinism presents a special problem in reasoning about probabilistic protocols,
for how can one talk about the probability of a statement being true when that probability
is affected by non-deterministic choices? The answer is that one can’t, but once all the
non-deterministic choices are fixed, the resulting system is a pure probabilistic one and the
probability of a formula being true is well defined. We consider only initial non-determinism,
that is, the non-deterministic choices must be made before the protocol is run and before
the outcomes of any of the coin tosses are known. This allows us to model uncertainty in
network parameters, network configuration, initial inputs, and protocols run by the other
agents, but it does not allow us to handle external inputs that arrive during the execution of
the protocol and which may depend (in unknown ways) on the execution history up to that
point. We leave the extension of our formalism to full non-determinism for future work.

Fagin and Halpern [FH87] define a formal logic for reasoning about knowledge and
probability which is based on Kripke structures that have been extended to include a
“subjective” probability space for each agent i at each global state s. Subjective probability
generalizes the indistinguishability relationship of classical knowledge logic and tells for
each set of states S the agent’s belief that the true state belongs to S when in fact the true
state is s. Because of non-determinism, it does not make sense to assign probabilities to
all possible sets of states. Fagin and Halpern note that it is okay to leave such problematic
sets unmeasurable since a probability space does not require that all sets be measurable.
For example, in game $G_1$ of the next section, the probability of ending up in the set $\{s_1, s_3\}$
is either 0.5 or 0.8, depending on the initial non-deterministic choice, so there is no single
“right” measure to assign to it.

The [FH87] model allows additional generality that might be used in trying to capture
the non-determinism more exactly. For example, it permits an agent to have different
subjective probability spaces in different global states. While this additional generality
may make the logic more expressive, we also find it very unnatural that an agent’s subjective
probabilities should depend on information not available to it.

The  main  contributions  of  this  paper  are  the  following: 

1. We present a formal system to reason about “knowledge” in probabilistic systems,
where knowledge is subject to a probability of error. Our system treats uncertainty
due to lack of information and uncertainty due to unpredictability of probabilistic
events uniformly. This allows one to make probabilistic statements about a random
event after its occurrence and before information about its outcome has been obtained.

2. The degree of confidence expressed by our notion of implicit belief corresponds exactly
to the worst-case conditional probability of a fact holding, given only the information
in the local view of the agent. Thus, we have captured all of the probabilistic
knowledge available to the agent in the worst case, that is, all that the agent can count on
in the face of adversity.

3. Our system sheds light on some classical problems of distributed computing. Namely,
by requiring only high confidence rather than certainty in the outcome of a protocol,
we can obtain easy solutions to a large variety of problems, some of which are
otherwise provably insoluble. We demonstrate our approach on the Coordinated
attack problem. We also show that implementations of the simple authenticated
Byzantine agreement protocol of [DS83] using digital signatures do not attain either
common knowledge or certain agreement. All they attain is agreement with a high
degree of confidence.

Figure 1: The system for game $G_1$.


2  The  Computational  Model 

Throughout the paper we frequently refer to two slightly more involved “coin-flipping”
examples $G_1$ and $G_2$, which are illustrated in Figures 1 and 2. A minor variation of $G_1$ is
extensively discussed in [FH87].

$G_1$: This game is played by two agents, p and q. p holds two seemingly identical coins, $c_1$
which is fair and $c_2$ which has a 0.8 bias towards “heads”. p chooses
non-deterministically one of the coins and flips it. The coin falls either heads or tails.

$G_2$: This game is $G_1$ with an additional step: After p chooses a coin and flips it, it flips
some coin $c_3$ that has a 0.8 bias to “heads”. If $c_3$ falls heads, p tells q the result of the
first coin flip. If $c_3$ falls tails, p lies to q about the result of the first coin flip.

We model a terminating synchronous probabilistic distributed system by a set of finite
trees, each of which corresponds to some nondeterministic choice that could be made in the
system, i.e., we assume that all the nondeterministic choices are made at the beginning. For
example, in $G_1$ there are two possible trees, $T_1$ which is rooted at $c_1$, and $T_2$ which is rooted
at $c_2$. Each node in each of the trees is labelled by some distinct global state, e.g., $c_1$, $s_1$,
$s_4$, etc. An internal tree node s which has k outgoing edges leading to $s_1, \ldots, s_k$, labelled
by $\beta_1, \ldots, \beta_k$ respectively, corresponds to a probabilistic action that can lead from s to $s_i$
with probability $\beta_i$, for every $i = 1, \ldots, k$. This of course implies that $\sum_{i=1}^{k} \beta_i = 1$. We
use pr(s,s') to denote the probability of reaching s' from s in one step, i.e., pr(s,s') is the
label of the edge leading from s to s' if s' is an immediate successor of s in the tree, and
pr(s,s') = 0 otherwise.

For every node s, we denote by tree(s) the tree that s is in. We associate with s a
probability pr(s), which is the probability of reaching s from the root of tree(s), i.e., pr(s)
is the product of the labels of edges on the path leading from the root of tree(s) to s. For
example, in $G_1$, $pr(c_1) = pr(c_2) = 1$, $pr(s_1) = pr(s_2) = .5$, $pr(s_3) = .8$ and $pr(s_4) = .2$.


Figure 2: The system for game $G_2$. (Tree levels in the figure: coin chosen; coin falls; $c_3$ falls; p says.)

Let $S$ be an independent subset of states (i.e., $S$ contains no two states that are on
the same path). We define the probability of a node $s$ relative to the set $S$, denoted by
$pr(s \mid S)$, as the conditional probability of the real state being $s$, given that the real state
is in $S \cap tree(s)$. Formally,

$$pr(s \mid S) = pr(s) \Big/ \sum_{t \in S \cap tree(s)} pr(t).$$

Note that by this definition, $pr(s \mid S) = pr(s \mid S \cap tree(s))$; thus, the probability is taken
only over those states of $S$ that are in the same tree as $s$.

For example, consider Figure 2. Denote the left tree by $T_1$ and the right tree by $T_2$.
Then $pr(t_1) = 0.4$, $pr(t_4) = 0.1$, $pr(t_6) = 0.16$. Let $S = \{t_1, t_4, t_6\}$. Then

$$pr(t_1 \mid S) = pr(t_1 \mid S \cap T_1) = pr(t_1 \mid \{t_1, t_4\}) = 0.4/(0.4 + 0.1) = 0.8.$$

Similarly, $pr(t_4 \mid S) = 0.2$ and $pr(t_6 \mid S) = 1$.

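Let $\mathcal{S}$ denote the set of all possible global states. We assume a set $\Phi$ of basic facts, and
an evaluation function $\alpha$ that maps every state $s \in \mathcal{S}$ and every fact $\varphi \in \Phi$ to a real number
$\alpha_s(\varphi) \in [0, 1]$. The number $\alpha_s(\varphi)$ denotes the degree of confidence which we associate with
the truth of $\varphi$ in s. Returning to $G_1$, let $\Phi$ = {C1, C2, heads, tails} where C1 (resp. C2)
stands for “p chose $c_1$ (resp. $c_2$)”, and heads (resp. tails) stands for “the coin fell ‘heads’
(resp. ‘tails’)”. Then, we define:

• $\alpha_s(\mathrm{C1}) = 1$ and $\alpha_s(\mathrm{C2}) = 0$ for every $s \in T_1$.

• $\alpha_s(\mathrm{C1}) = 0$ and $\alpha_s(\mathrm{C2}) = 1$ for every $s \in T_2$.

• $\alpha_{c_1}(\mathit{heads}) = \alpha_{c_1}(\mathit{tails}) = \alpha_{c_2}(\mathit{heads}) = \alpha_{c_2}(\mathit{tails}) = 0$.

• $\alpha_{s_1}(\mathit{heads}) = \alpha_{s_3}(\mathit{heads}) = \alpha_{s_2}(\mathit{tails}) = \alpha_{s_4}(\mathit{tails}) = 1$.

• $\alpha_{s_1}(\mathit{tails}) = \alpha_{s_3}(\mathit{tails}) = \alpha_{s_2}(\mathit{heads}) = \alpha_{s_4}(\mathit{heads}) = 0$.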

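We extend $\Phi$ by closing it under boolean operations ($\neg$, $\vee$, and $\wedge$) and the temporal
operators $\bigcirc$ (next time) and $\Diamond$ (eventually). We extend the degree of confidence function
$\alpha$ using the following rules:¹

$$\alpha_s(\neg\varphi) = 1 - \alpha_s(\varphi)$$

$$\alpha_s(\varphi \vee \psi) = \max\{\alpha_s(\varphi),\ \alpha_s(\psi)\}$$

$$\alpha_s(\varphi \wedge \psi) = \max\{1 - (1 - \alpha_s(\varphi)) - (1 - \alpha_s(\psi)),\ 0\} = \max\{\alpha_s(\varphi) + \alpha_s(\psi) - 1,\ 0\}$$

$$\alpha_s(\bigcirc\varphi) = \sum_{s' \in \mathcal{S}} pr(s, s') \cdot \alpha_{s'}(\varphi)$$

$$\alpha_s(\Diamond\varphi) = \max\Big\{\alpha_s(\varphi),\ \sum_{s' \in \mathcal{S}} pr(s, s') \cdot \alpha_{s'}(\Diamond\varphi)\Big\}$$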

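For example, in $G_1$,

$$\alpha_{c_1}(\bigcirc\mathit{heads}) = \alpha_{c_1}(\bigcirc\mathit{tails}) = 0.5, \quad \alpha_{c_2}(\bigcirc\mathit{heads}) = 0.8, \quad \alpha_{c_2}(\bigcirc\mathit{tails}) = 0.2,$$

and

$$\alpha_{c_1}(\bigcirc(\mathit{heads} \vee \mathit{tails})) = 0.5 \cdot \alpha_{s_1}(\mathit{heads} \vee \mathit{tails}) + 0.5 \cdot \alpha_{s_2}(\mathit{heads} \vee \mathit{tails}) = 0.5 \cdot \max\{1, 0\} + 0.5 \cdot \max\{0, 1\} = 1.$$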

Let $S$ be some subset of $\mathcal{S}$. We extend $\alpha$ to capture the degree of confidence of formulae
$\varphi \in \Phi$ in the set $S$, denoted by $\alpha_S(\varphi)$. Intuitively, $\alpha_S(\varphi)$ is our degree of confidence that $\varphi$
is true given that we know the true state is in $S$. We formally define it by:

$$\alpha_S(\varphi) = \min_{T} \sum_{s \in S \cap T} \alpha_s(\varphi) \cdot pr(s \mid S).$$

The summation expresses the degree of confidence that $\varphi$ holds in $S$, given that the true
state is in tree $T$. Because the tree is chosen non-deterministically, we minimize over the
possible trees $T$.

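For example, consider $G_2$ where $\alpha_t(\mathit{heads}) = 1$ and $\alpha_t(\mathit{tails}) = 0$ for every $t \in \{t_1, t_2, t_5, t_6\}$,
and $\alpha_t(\mathit{heads}) = 0$ and $\alpha_t(\mathit{tails}) = 1$ for every $t \in \{t_3, t_4, t_7, t_8\}$. Let $S = \{t_1, t_4, t_6\}$, then:

$$\alpha_S(\mathit{heads}) = \min_{T \in \{T_1, T_2\}} \sum_{s \in S \cap T} \alpha_s(\mathit{heads}) \cdot pr(s \mid S)$$

$$= \min\Big\{\sum_{s \in \{t_1, t_4\}} \alpha_s(\mathit{heads}) \cdot pr(s \mid \{t_1, t_4\}),\ \sum_{s \in \{t_6\}} \alpha_s(\mathit{heads}) \cdot pr(s \mid \{t_6\})\Big\}$$

$$= \min\{\alpha_{t_1}(\mathit{heads}) \cdot 0.8 + \alpha_{t_4}(\mathit{heads}) \cdot 0.2,\ \alpha_{t_6}(\mathit{heads}) \cdot 1\}$$

$$= \min\{1 \cdot 0.8 + 0 \cdot 0.2,\ 1 \cdot 1\} = \min\{0.8,\ 1\} = 0.8.$$

Intuitively, this means that if all one knows is that the system is in one of $S$'s states, then
we can bet, with 80% probability of success, that heads holds.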

¹ When we say that ‘we extend $\Phi$ by closing it under some operators’, we really mean that we construct
a new set which we close under the new as well as the old operators, and then term it $\Phi$. We also implicitly
assume that all the previous semantic definitions hold for the new $\Phi$.


3  Belief 


Consider the system of $G_1$. If the coins look identical, then agent p, who chooses the coin
and flips it, cannot distinguish between the states in each of the pairs $\{c_1, c_2\}$, $\{s_1, s_3\}$, and
$\{s_2, s_4\}$. It can however distinguish between elements of different pairs. On the other hand,
q can only distinguish between the sets $\{c_1, c_2\}$ and $\{s_1, \ldots, s_4\}$ but cannot distinguish
between pairs of elements in the same set.

We assume that for each agent $i \in A$ the states of the system are partitioned by some
equivalence relation $\sim_i$ where $s \sim_i s'$ if agent i cannot distinguish between s and s'. For
every state s and agent i, we denote by $[s]_i$ the set of states that are indistinguishable from
s by i, so $[s]_i = \{t \mid s \sim_i t\}$.

For example, in $G_2$, $\sim_p$ is the equivalence relation induced by the partition
$\{\{c_1, c_2\}, \{s_1, s_3\}, \{s_2, s_4\}, \{t_1, t_5\}, \{t_2, t_6\}, \{t_3, t_7\}, \{t_4, t_8\}\}$, and $\sim_q$ is the equivalence relation
induced by $\{\{c_1, c_2\}, \{s_1, \ldots, s_4\}, \{t_1, t_4, t_5, t_8\}, \{t_2, t_3, t_6, t_7\}\}$.

Consider now agent q when the system $G_2$ is in $t_2$, i.e., when $c_1$ was chosen, flipped and
fell heads, and p told q ‘tails’. q cannot tell whether the system is in $t_2$, $t_3$, $t_6$, or $t_7$. It
however knows that if $c_1$ was chosen (i.e., the ‘real’ state is in $T_1$), then in 0.8 of the cases
tails is true, and if $c_2$ was chosen, then in 0.5 of the cases tails is true. Similarly, if $c_1$ was
chosen then in 0.2 of the cases heads is true, and if $c_2$ was chosen then in 0.5 of the cases
heads is true. Therefore, q believes that no matter which coin is chosen, tails is true in at
least 0.5 of the cases, and heads is true in at least 0.2 of the cases.

Let $B_q^{\beta}\varphi$ denote that “q believes, with degree of confidence at least $\beta$, that $\varphi$ holds”.
Then, in $t_2$,

$$B_q^{0.5}\,\mathit{tails} \quad\text{and}\quad B_q^{0.2}\,\mathit{heads}.$$

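Formally, we say that for every agent $i \in A$, probability $\beta \in [0, 1]$, and formula $\varphi \in \Phi$,
$B_i^{\beta}\varphi$ holds in a state $s \in \mathcal{S}$ iff $\varphi$ is true in $[s]_i$ with degree of confidence at least $\beta$, i.e.,

$$s \models B_i^{\beta}\varphi \quad\text{iff}\quad \alpha_{[s]_i}(\varphi) \ge \beta$$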
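The definitions of pr(s | S), α_S and B_i^β, evaluated on game G2, as an added Python example that is not part of the paper. Figure 2 is missing from this copy, so the leaf layout is an assumption reconstructed from the probabilities and partitions quoted in the text; all function names are illustrative.

```python
from fractions import Fraction as F

# Game G2. The leaf layout below is reconstructed from the text
# (pr(t1)=0.4, pr(t4)=0.1, pr(t6)=0.16 and the partitions for p and q);
# it is an assumption, since the figure itself is not available.
C3_HEADS = F(4, 5)  # c3 falls heads (p reports truthfully) with probability 0.8


def build_g2():
    """Map each leaf t1..t8 to (tree, pr(leaf), first-coin outcome, what p says)."""
    leaves, n = {}, 1
    for tree, p_heads in (("T1", F(1, 2)), ("T2", F(4, 5))):
        for outcome, p_out in (("heads", p_heads), ("tails", 1 - p_heads)):
            lie = "tails" if outcome == "heads" else "heads"
            for said, p_said in ((outcome, C3_HEADS), (lie, 1 - C3_HEADS)):
                leaves[f"t{n}"] = (tree, p_out * p_said, outcome, said)
                n += 1
    return leaves


G2 = build_g2()


def pr(s):
    """pr(s): product of the edge labels from the root of tree(s) to s."""
    return G2[s][1]


def pr_given(s, S):
    """pr(s | S): condition only on the states of S in the same tree as s."""
    return pr(s) / sum(pr(t) for t in S if G2[t][0] == G2[s][0])


def alpha(s, fact):
    """alpha_s(fact) for the basic facts 'heads' / 'tails' at a leaf."""
    return F(1) if G2[s][2] == fact else F(0)


def alpha_set(fact, S):
    """alpha_S(fact): minimum over the trees that S intersects (assumption:
    trees that do not intersect S are skipped rather than contributing 0)."""
    trees = {G2[s][0] for s in S}
    return min(
        sum(alpha(s, fact) * pr_given(s, S) for s in S if G2[s][0] == T)
        for T in trees
    )


def indistinguishable(agent, s):
    """[s]_i: q sees only what p says; p also sees the first coin's outcome."""
    def view(t):
        return G2[t][3] if agent == "q" else G2[t][2:]
    return {t for t in G2 if view(t) == view(s)}


def believes(agent, s, fact, beta):
    """s |= B_i^beta fact  iff  alpha_{[s]_i}(fact) >= beta."""
    return alpha_set(fact, indistinguishable(agent, s)) >= beta


if __name__ == "__main__":
    S = {"t1", "t4", "t6"}
    print("pr(t1|S) =", pr_given("t1", S), " alpha_S(heads) =", alpha_set("heads", S))
    cls = indistinguishable("q", "t2")
    print("[t2]_q =", sorted(cls))
    print("q's confidence in tails:", alpha_set("tails", cls))
    print("q's confidence in heads:", alpha_set("heads", cls))
```

Exact fractions are used so that the threshold comparison in `believes` is not affected by floating-point rounding.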


We next extend the set $\Phi$ by adding the belief operators $B_i^{\beta}$ for every $i \in A$ and
$\beta \in [0, 1]$ to the set of operators in Section 2. We extend $\alpha$ by adding the following case
to the definition of Section 2:


if $s \models B_i^{\beta}\varphi$
otherwise


If for some $s \in \mathcal{S}$, $i \in A$, and $\varphi \in \Phi$, $s \models B_i^{1}\varphi$, then we say that in s agent i knows $\varphi$,
and abbreviate $s \models B_i^{1}\varphi$ to $s \models K_i\varphi$. Note that $s \models K_i\varphi$ if $\alpha_{[s]_i}(\varphi) = 1$, i.e., if $\varphi$ is true
with certainty in all the states that are indistinguishable to i from s, so that our notion of
knowledge coincides with the “classical” definitions (see, e.g., [HM84,FI86]).

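Let us return to $G_1$. At the beginning, the system is in either $c_1$ or $c_2$. Both p and q
believe that the coin will fall heads with probability at least 0.5, and tails with probability
at least 0.2. Indeed, we check that for every $i \in \{p, q\}$ and $c \in \{c_1, c_2\}$,

$$\alpha_{[c]_i}(\Diamond\mathit{heads}) = \min_{T \in \{T_1, T_2\}} \sum_{s \in [c]_i \cap T} \alpha_s(\Diamond\mathit{heads}) \cdot pr(s \mid [c]_i)$$

$$= \min\{\alpha_{c_1}(\Diamond\mathit{heads}) \cdot pr(c_1 \mid \{c_1\}),\ \alpha_{c_2}(\Diamond\mathit{heads}) \cdot pr(c_2 \mid \{c_2\})\}$$

$$= \min\{0.5 \cdot 1,\ 0.8 \cdot 1\} = 0.5$$

and similarly that $\alpha_{[c]_i}(\Diamond\mathit{tails}) = 0.2$. Hence, $c \models B_i^{0.5}(\Diamond\mathit{heads})$ and $c \models B_i^{0.2}(\Diamond\mathit{tails})$.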

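However, after the coin has been flipped (i.e., in $s_1, \ldots, s_4$), p knows the result of the
coin flip while q has gained no additional information about the result of the coin flip.
Indeed, we can see that

$$\alpha_{[s_1]_p}(\mathit{heads}) = \alpha_{\{s_1, s_3\}}(\mathit{heads}) = 1 \quad\text{and}\quad \alpha_{[s_1]_p}(\mathit{tails}) = \alpha_{\{s_1, s_3\}}(\mathit{tails}) = 0,$$

whereas

$$\alpha_{[s_1]_q}(\mathit{heads}) = \alpha_{\{s_1, \ldots, s_4\}}(\mathit{heads}) = 0.5 \quad\text{and}\quad \alpha_{[s_1]_q}(\mathit{tails}) = \alpha_{\{s_1, \ldots, s_4\}}(\mathit{tails}) = 0.2.$$

So $s_1 \models K_p\,\mathit{heads}$, whereas $s_1 \models B_q^{\beta}\,\mathit{heads}$ is only true for $\beta \le 0.5$. This corresponds to our
intuition that p knows the outcome but q has learned nothing of it.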

4  Coordinated  Attack 

Consider  the  Coordinated  Attack  problem  as  stated  in  [HM84]: 

Two  divisions  of  army  are  camped  on  two  hilltops  overlooking  a  common  valley. 

In  the  valley  awaits  the  enemy.  It  is  clear  that  if  both  divisions  attack  the  enemy 
simultaneously  they  will  win  the  battle,  whereas  if  only  one  division  attacks  it 
will  be  defeated.  The  divisions  do  not  initially  have  plans  for  launching  an 
attack  on  the  enemy,  and  the  commanding  general  of  the  first  division  wishes 
to  coordinate  a  simultaneous  attack  (at  some  time  the  next  day).  . . .  The 
generals  can  only  communicate  by  means  of  a  messenger.  Normally,  it  takes  the 
messenger  one  hour  to  get  from  one  encampment  to  the  other.  However,  it  is 
possible  that  he  will  get  lost  in  the  dark,  or,  worse  yet,  captured  by  the  enemy. 

. . .  How  long  will  it  take  to  coordinate  an  attack? 

A  correct  solution  (protocol)  should  guarantee: 

Safety:  If  either  party  attacks,  then  they  both  attack  at  the  same  time. 

It is shown in [HM84] that no correct solution to the problem will ever result in a
coordinated attack. The results of [HM84] apply even if we assume some fixed probability $\beta$ of
the messenger successfully delivering a message within one hour.²

Suppose however that we are given such a probability $\beta$, and we look for solutions
that satisfy some weaker safety requirement. For example, consider the $\gamma$-weak coordinated
attack problem in which we require:

$\gamma$-Weak Safety: The probability that both parties attack at the same time, given that
one party attacks, is at least $\gamma$.

² This observation is due to John Geanakoplos.


If $\gamma \le \beta$ then the problem has a trivial solution: The first general (say p) sends a
message to the other general (say q) with the attack time t, and then attacks at this time.
If q receives the message, he also attacks at the designated time. Thus, p always attacks
at time t, and since q receives p’s message with probability $\beta$, q attacks at time t with
probability $\beta$. Since $\beta \ge \gamma$, $\gamma$-weak safety is satisfied.

There are also solutions when $\gamma > \beta$. For example, if k is such that $(1 - \beta)^k \le (1 - \gamma)$,
then p can send k messengers to q carrying identical messages, and q attacks if it receives
one or more messages. This occurs with probability at least $1 - (1 - \beta)^k \ge \gamma$.

Thus,  we  obtain: 

Theorem 1 The $\gamma$-weak coordinated attack problem has a correct solution for any $\beta > 0$,
where $\beta$ is the probability of the messenger successfully delivering the message, providing at
least $\lceil \log(1 - \gamma)/\log(1 - \beta) \rceil$ messengers are available.
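The k-messenger protocol behind Theorem 1, checked by exhaustive enumeration of delivery patterns, as an added Python example that is not part of the paper. It assumes independent deliveries with probability β each; the function names are illustrative.

```python
from fractions import Fraction as F
from itertools import product


def weak_safety(k, beta):
    """P(both attack | someone attacks) when p sends k messengers and then
    attacks regardless, and q attacks iff at least one messenger arrives.
    Every one of the 2^k delivery patterns is enumerated with its probability."""
    both = F(0)
    for pattern in product((True, False), repeat=k):
        p_pattern = F(1)
        for delivered in pattern:
            p_pattern *= beta if delivered else 1 - beta
        if any(pattern):  # q got at least one copy, so q attacks alongside p
            both += p_pattern
    # p always attacks, so P(someone attacks) = 1 and no further division is needed.
    # This value is also p's confidence, when it attacks, that q attacks (Theorem 2).
    return both


def min_messengers(beta, gamma):
    """Smallest k >= 1 with (1 - beta)^k <= 1 - gamma, found exactly instead of
    through floating-point logarithms."""
    if not 0 < beta <= 1 or not 0 <= gamma <= 1:
        raise ValueError("need 0 < beta <= 1 and 0 <= gamma <= 1")
    if gamma == 1 and beta < 1:
        raise ValueError("certainty is unattainable with lossy messengers")
    k = 1
    while (1 - beta) ** k > 1 - gamma:
        k += 1
    return k


if __name__ == "__main__":
    beta, gamma = F(1, 2), F(9, 10)   # constructed sample values
    k = min_messengers(beta, gamma)
    print(k, weak_safety(k, beta), weak_safety(k - 1, beta))
```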

The crucial point in the [HM84] proof that the problem cannot be solved is that the
parties need to obtain common knowledge about the attack time. (See the discussion there
about common knowledge.) The system we set forth is much weaker, as it allows p to attack
at time t when it only believes the other party will attack but is not certain.

Theorem 2 In any protocol solving the $\gamma$-weak coordinated attack problem and any global
state s, if p attacks in s then

$$s \models B_p^{\gamma}\ q\ \text{attacks},$$

and if q attacks in s then

$$s \models B_q^{\gamma}\ p\ \text{attacks}.$$

We  can  also  prove  a  kind  of  converse  to  Theorem  2: 

Theorem 3 Consider any protocol C such that for some $\gamma \in [0, 1]$ and for every global
state s, if p attacks in s then

$$s \models B_p^{\gamma}\ q\ \text{attacks},$$

and if q attacks in s then

$$s \models B_q^{\gamma}\ p\ \text{attacks}.$$

Then C solves the $\gamma'$-weak coordinated attack problem for $\gamma' = \gamma/(2 - \gamma)$.

For comparison, the [HM84] proof relates to systems that guarantee that p attacks in
state s only when

$$s \models K_p\ q\ \text{attacks}.$$

5  Authenticated  Byzantine  Agreement 

Authenticated  Byzantine  Agreement  (ABA)  is  Byzantine  agreement  under  the  assumption 
of  authentication.  See  [DS83]  for  a  thorough  discussion  on  the  subject.  For  example,  it  is 
said  there  that: 


“. . . we assume a protocol that will prevent any processor from introducing
a new value or message into the information exchange and claiming to have
received it from another ...”

Indeed,  all  the  Byzantine  agreement  protocols  proposed  there  make  heavy  use  of  some  ideal 
authentication  scheme  that  guarantees  the  above. 

For example, consider the simple protocol P for achieving ABA in [DS83]:

1. Initially, every processor p has a set of values $C_p = \emptyset$, and some default value $v_d$.

2. At step 1, the sender sends a signed message with its value to all the processors.

3. At every step $k = 2, \ldots, t + 1$, every processor p that received a properly signed
message m in the previous step containing a value $v \notin C_p$, adds v to $C_p$, places his
signature on m to obtain a new message m', and sends m' to all processors. A message
received in step r is properly signed if it is signed by r distinct processors, the first of
which is the sender and the last of which is the process from which the message was
received.

4. At the end of step $t + 1$, every processor p for which $C_p = \{v\}$ for some v chooses that
v, and every other processor p chooses the default value $v_d$.

Dolev and Strong [DS83] show that the above protocol indeed guarantees Byzantine
agreement if the number of faulty processors is at most t. However, suppose that the
signature scheme is not totally secure, so that under certain circumstances a faulty processor
can forge the signature of a reliable one. Consider the case, for example, that the sender
is nonfaulty and sent v ≠ vj in step 1. At step t + 1, a faulty processor might send
to some of the correct processors a message that contains another value v' together with
the forged signature of the sender and (valid) signatures of the t faulty processors. Those
correct processors receiving this bogus message will choose vj, whereas the remaining correct
processors will choose v, thereby violating Byzantine agreement.

If  the  sender  is  faulty,  then  it  is  sufficient  for  the  faulty  processors  to  forge  a  signature 
of  any  one  correct  processor.  The  argument  proceeds  along  the  same  lines. 
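The nonfaulty-sender scenario above can be replayed in a small simulation. This is an added example, not code from the paper: signatures are modelled abstractly as signer chains, a single flag stands for a successful forgery, and all names (run_protocol_p, forgery_succeeds, v_default and so on) are hypothetical.

```python
def run_protocol_p(n, t, v, v_default, forged_value=None, targets=(),
                   forgery_succeeds=False):
    """Protocol P with a correct sender (processor 0). Processors n-t..n-1 are
    faulty and silent, except for one optional bogus message in step t+1."""
    sender, faulty = 0, list(range(n - t, n))
    correct = [p for p in range(n) if p not in faulty]
    C = {p: set() for p in correct}        # every C_p starts empty
    issued = set()                         # genuine signatures: (signer, value, prefix)

    def sign(p, value, chain):
        issued.add((p, value, chain))
        return chain + (p,)

    def properly_signed(value, chain, frm, step):
        if len(chain) != step or len(set(chain)) != step:
            return False                   # needs exactly `step` distinct signers
        if chain[0] != sender or chain[-1] != frm:
            return False
        for i, s in enumerate(chain):      # a correct signer's signature must be genuine,
            genuine = (s, value, chain[:i]) in issued
            if s in correct and not genuine and not forgery_succeeds:
                return False               # unless the forgery goes undetected
        return True

    C[sender].add(v)                       # step 1: sender signs v and sends to all
    inbox = [(q, v, sign(sender, v, ()), sender) for q in correct if q != sender]
    for step in range(1, t + 2):           # inbox holds messages received in `step`
        if step == t + 1 and forged_value is not None:
            chain = (sender,) + tuple(faulty)   # forged sender sig + t valid faulty sigs
            inbox += [(q, forged_value, chain, faulty[-1]) for q in targets]
        outbox = []
        for q, value, chain, frm in inbox:
            if properly_signed(value, chain, frm, step) and value not in C[q]:
                C[q].add(value)
                if step <= t:              # relay with own signature in the next step
                    relayed = sign(q, value, chain)
                    outbox += [(r, value, relayed, q) for r in correct if r != q]
        inbox = outbox
    # end of step t+1: choose the unique value in C_p, else the default
    return {p: next(iter(C[p])) if len(C[p]) == 1 else v_default for p in correct}
```

With forgery_succeeds=False the bogus message is rejected and every correct processor chooses v; with forgery_succeeds=True the targeted processors end with two values in their sets and fall back to the default, while the rest choose v.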

The scenarios described above might not be very likely; however, they have a positive
probability of occurring when authentication is implemented through cryptographic
techniques. For example, a signature might be forged simply through random coin flips;
thus, forgery is always possible with probability at least 2^{-N}, where N bounds the
message length. Thus, a real-life implementation of this protocol does not achieve Byzantine
agreement since agreement sometimes fails to be reached.

What  then  is  achieved?  We  define 

γ-Weak Agreement: With probability at least γ, all correct processors choose the same
value.

γ-Weak Liveness: If the sender is non-faulty, then with probability at least γ, all correct
processors choose the sender's value.

A protocol achieves γ-weak Byzantine agreement if it satisfies γ-weak agreement and γ-weak
liveness for any choice of faulty processors. We then have the following theorem.


Theorem 4 If the probability of the faulty processors successfully forging the signature of
a reliable processor is at most 1 − γ, then protocol P achieves γ-weak Byzantine agreement.

Dwork  and  Moses  [DM86]  introduce  the  notion  of  Simultaneous  Byzantine  Agreement 
(SBA),  which  is  Byzantine  agreement  in  which  all  processors  choose  values  at  the  same 
step.  They  show  that  any  protocol  that  achieves  SBA  must  satisfy 

p  chooses  v  =>  Kp  (every  correct  q  chooses  v) 

for  every  correct  processor  p.  Protocol  P,  when  run  in  an  idealized  environment  with  perfect 
authentication,  achieves  SBA,  for  all  processors  decide  at  the  same  step  (cf.  [DM86]). 

A γ-weak Byzantine agreement protocol does not satisfy SBA since it does not even
achieve agreement. We define a corresponding weak notion of SBA, termed γ-SBA, by
replacing the condition of γ-weak agreement with:

γ-Weak Simultaneous Agreement: With probability at least γ, all correct processors
choose the same value at the same step.

In  the  full  paper,  we  prove  the  following: 

Theorem 5 Every γ-SBA protocol satisfies

p  decides  v  =>  B ^(every  correct  q  decides  v) 
for  every  correct  processor  p. 

6  Further  Work 

Real-world  systems  must  make  decisions  based  on  uncertain  information.  We  have  shown 
how  to  model  uncertainty  in  the  framework  of  knowledge  logics,  and  we  have  shown  how 
allowing  for  uncertainty  in  two  classical  problems  of  distributed  computing  radically  alters 
their properties. We believe this work is important not only for the formal machinery it
provides but also to help clarify people's thinking in making subtle distinctions between
probabilistic and non-deterministic choices, and we expect it to be influential in future
distributed computing research.

We  leave  as  an  open  problem  the  extension  of  our  framework  to  eliminate  the  assumption 
that  all  non-deterministic  choices  are  made  before  the  protocol  has  begun.  To  do  so  will 
require  one  to  handle  alternations  of  non-deterministic  and  probabilistic  choices,  which  will 
give  rise  to  expressions  of  alternating  minimization  and  summation  operators. 

In  order  to  reason  about  cryptographic  protocols,  it  is  necessary  to  introduce  feasibility 
into  notions  of  knowledge  and  belief.  Intuitively,  computational  complexity  considerations 
are  like  dark  glasses  over  the  eyes  of  an  agent.  Even  though  an  agent’s  local  view  of 
two  states  is  not  the  same,  he  may  not  be  able  to  make  any  useful  distinctions  between 
them  and  thus  should  believe  a  fact  with  the  same  confidence  as  if  the  states  were  totally 
indistinguishable  to  him.  We  address  this  issue  in  [FZ87]  in  which  we  express  what  an 
accepting  verifier  believes  at  the  end  of  an  interactive  proof  of  “knowledge”  using  concepts 
of  relative  knowledge  and  belief  developed  there.  We  are  currently  working  to  extend  those 
concepts  to  the  temporal  logic  framework  presented  here. 